Cybersecurity compliance, governance, and disclosure practices have evolved significantly over the past decade. As we have noted in prior blog posts, the U.S. Securities and Exchange Commission is requiring cybersecurity disclosures for public companies. But public companies are not alone in being subject to threats; small and mid-size businesses are also likely targets of cyber-criminals. It is important for all businesses to regularly review and update their cybersecurity policies and procedures.
In February 2024, the National Institute of Standards and Technology (“NIST”) (an agency within the U.S. Department of Commerce) updated its Cybersecurity Framework (“CSF”) to CSF 2.0. CSF 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. Broadening its original scope, which was primarily targeted at critical infrastructure industries such as hospitals and utilities, CSF 2.0 is designed to help organizations of all sizes and sectors to manage and reduce cybersecurity risk. Of course, cybersecurity best practices are not uniform across every organization. Best practices for a particular organization must be tailored to its unique risks and objectives, which CSF 2.0 hopes to enable.
The NIST encourages CSF 2.0 to be used to address organizational cybersecurity risk alongside other risks to the enterprise that have compliance controls in place, such as financial, data privacy, supply chain, and others. CSF 2.0 expands prior guidance and now highlights the importance of governance and supply chains. The CSF describes outcomes (or functions) that are desired, then maps to potential controls to help achieve those outcomes.
The CSF Core functions organize categories of desired outcomes:
- Govern – The overall organization’s cybersecurity risk management strategy, expectations, and policy – and how those are established, communicated, and monitored.
- Identify – Thorough understanding of the organization’s current cybersecurity risks and opportunities.
- Protect – Safeguards to manage the risks and opportunities identified in the Identify function.
- Detect – Finding and analyzing possible cybersecurity attacks and compromises.
- Respond – Actions taken in response to detected cybersecurity incidents.
- Recover – Restoration of assets and operations affected by a cybersecurity incident.
Incorporating risk management practices such as those described in CSF 2.0 will align your business with known best practices and strengthen its defenses against cybercriminals.
[View source.]